DarkComet From Defense To Offense - Identify your Attacker presented at BSidesUK 2015

by Kevin Breen,

Summary : DarkComet is A Remote Access Trojan that has been around for a while. It has been used by script kiddies and nation states alike. It is no longer in active development and It is well documented and understood. So why would you be interested in me talking to you about this bit of malware?
Because it has an vulnerability and a public exploit that can tell you a lot about the attackers campaign. How many machines has he infected, where are the infected hosts, what information has he stolen from these machines?
Taking the exploit one step further and adding a little imagination and forensics knowledge we can start to identify the attacker himself. Identifying the IP and domain is easy and will give you some info. But what if you could get his daily email address, Facebook details, favourite coffee shop, local library, copy of his CV and if you are really lucky a txt file containing all the credentials for his remote exploit sites and FTP dumps.
This presentation is not going to look at the deep technical aspects of the exploit instead it will start with the defensive posture against dark comet and extract some key information from an attack against you. Finishing with a case study showing what information can be extracted from the attacker.